search

rzr / generic-sensors-webthings

Sensors kit for RPI
https://purl.org/rzr/sensors
Mozilla Public License 2.0
4 stars 5 forks source link

CVE-2019-15657 (Medium) detected in eslint-utils-1.4.0.tgz #9

Closed mend-bolt-for-github[bot] closed 5 years ago

mend-bolt-for-github[bot] commented 5 years ago

CVE-2019-15657 - Medium Severity Vulnerability

Vulnerable Library - eslint-utils-1.4.0.tgz

Utilities for ESLint plugins.

Library home page: https://registry.npmjs.org/eslint-utils/-/eslint-utils-1.4.0.tgz

Path to dependency file: /mozilla-iot-generic-sensors-adapter/package.json

Path to vulnerable library: /tmp/git/mozilla-iot-generic-sensors-adapter/node_modules/eslint-utils/package.json

Dependency Hierarchy: - eslint-6.1.0.tgz (Root Library) - :x: **eslint-utils-1.4.0.tgz** (Vulnerable Library)

Found in HEAD commit: 53fd3100d3b59afe7b0b9f4e97c7da38acff5f5b

Vulnerability Details

In eslint-utils before 1.4.1, the getStaticValue function can execute arbitrary code.

Publish Date: 2019-08-26

URL: CVE-2019-15657

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15657

Release Date: 2019-08-26

Fix Resolution: 1.4.1

Step up your Open Source Security Game with WhiteSource here

rzr commented 5 years ago

Should be fixed with: https://github.com/rzr/mozilla-iot-generic-sensors-adapter/commit/549e584c981e090d9244b4eef80f22b0d1ca79c7#diff-32607347f8126e6534ebc7ebaec4853dR394

version to be released on next version of gateway